This paper introduces a mathematical framework for evaluating the relationship between policies and mechanisms. An evaluation approach called the assignment technique is defined. This technique consists of establishing an assignment between the security classes of information established by policy constraints, and the protection domains, established by the properties of the mechanism. The assignment technique provides a theoretical foundation for assessing the sufficiency of an access control mechanism with respect to a well formed protection policy. Although this paper presents preliminary results of research, the proposed framework suggests a promising new approach for evaluating the protection mechanisms of existing and proposed systems.
INTRODUCTION

The suitability of a protection mechanism for any given security policy is not always apparent. This paper presents a theoretical foundation for assessing the sufficiency of an access control mechanism as a means of enforcing a non-discretionary security policy. A technique, termed assignment, establishes a relationship between the information sensitivities of the system entities (partitioned according to policy constraints), and dominance domains (inherently established by a protection mechanism). The assignment technique provides a method for mechanism validation, since the results of the assignment can be evaluated to establish whether or not the constraints of the policy are met.

The assignment technique was developed as a means of identifying the limitations of well-formed access control mechanisms. The initial investigation examined the feasibility of using the Multics ring mechanism [6] as a means of enforcing a hierarchical compromise policy. Our basic National Security policy [ ] is a well known example. It was established by assignment (as is shown in this paper) that the Multics ring mechanism, of itself, cannot provide this security. On the other hand, it is shown that the Multics ring mechanism does enforce an important form of program integrity policy. This program integrity mechanism can be used to delimit a most privileged set of programs known as the security kernel. The security kernel in turn provides a mechanism sufficient to enforce other security, integrity or access control policies. Thus, with the security kernel technology, the ring mechanism is sufficient for enforcing computer security. By using assignment, we have gained a much better understanding of the capabilities and limitations of a ring protection mechanism, and have introduced a tool for the assessment of other protection mechanisms.




In order to clearly present the assignment technique we begin with a discussion of the principles of access control. This is necessary because much of the information published in this area appears to be imprecise or even contradictory in nature. Some of the terminology used in this paper may also appear to contradict other authors. These differences and distinctions are intentional and will be discussed in greater detail in an anticipated thesis [ ] by M. Shirley. This paper merely addresses the basic framework which we choose for our discussion.

Lattice Security Policies

A security policy is based upon external laws, rules, regulations and other mandates that establish what access to information is to be permitted. We choose as our universe of discourse the lattice security policies as identified by Walters [15] and later also described by Denning [5]. These universally bounded lattice structures consist of finite, partially ordered sets of access classes, each having a least upper and greatest lower bound. This class of policies encompasses many (if not all) practical policies. Such policies are of primary interest to National defense because all non-discretionary security policies can be represented as a lattice policy. To be effective, such policies must clearly establish an access class for all system entities, i.e., subjects (the active entities) and objects (the passive entities that may be referenced by a subject). Furthermore, the policy must establish the permissible access relations between the subjects and objects of the various equivalence classes. If a policy were not able to meet these requirements, the enforcement of the policy could not be evaluated.


Note that we distinguish between processes and subjects in this paper. This is necessary because of the ambiguity that might result without the distinct notion of a subject as a process-domain pair [2], particularly when we present a formalized definition of a domain.

Access Relations

Any specific policy will distinguish one or more distinct access relations between subjects and objects. These are typically mirrored in the "access modes" of the corresponding protection mechanism.

Two generic access modes are sufficient for a general discussion of the principles and policies discussed in this paper. These are [7] "observe" (the ability to observe information) and "modify" (the ability to modify information). Other primitive access modes are generally just a finer granularity of observation and modification privileges.

The enforcement of a policy is fundamentally limited by the system's granularity of access. Policies that prescribe distinctions not recognized by the access control mechanisms must be enforced in an overly restrictive manner or ignored. For example, a policy addressing a concatenation access relation cannot be precisely enforced on a system that does not recognize some form of append access mode.

The granularity of access control within a system is dependent upon the ability to distinguish attributes of subjects and objects and upon the variety of access modes available. The primitive access modes are associated with the design of the system, including the protection mechanisms, and designate the associated rights obtained by an access request.

An access relation is a tuple (subject, access mode, object). This tuple signifies that a relation between the subject and object exists such that the subject is permitted to access the object with all the privileges associated with the access mode. The problem of information security may generally be expressed as the problem of permitting the existence of only those access relations that in no way violate any of the applicable system policies.

Basic National Security Policy Example

The basic National Security policy is a simple lattice policy. The policy defines entities as members of one of four hierarchical access classes (UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET). The greatest lower bound is UNCLASSIFIED and the least upper bound is TOP SECRET. Figure 1(A) represents this lattice structure.
[Figure 1: (A) the lattice of the four access classes, (B) its information flow characteristics, and (C) the observe/modify access relations between the equivalence classes]

Figure 1(B) shows the information flow characteristics of this lattice policy [2]. This information transfer path [2] can be analysed with respect to permissible access relations.

Based on this analysis of the permissible access relations between subjects and objects with the various access classes, we derive an alternative illustration form that is convenient for our analysis. Figure 1(C) illustrates the basic National Security policy using this form. Note that a node represents an equivalence class of entities all of which have the same access class. A directed arc represents the permissible access relations from a subject of the source equivalence class to an object of the destination equivalence class. Transitivity of access relations is not shown but is assumed.

Recall that a system is "secure" if there are no access relations that violate any applicable policy. The Simple Security Condition [1] states that if observe access is permitted, then the access class of the subject is greater than or equal to the access class of the object. The "Confinement Property" (historically known by the less descriptive name of *-Property [2]) states that if modify access is permitted, then the access class of the subject is less than or equal to the access class of the object. One can see that Figure 1(C) is derived directly from these two properties.

Access Domains

So far, we have concentrated on the properties of policies. We now examine the properties of the protection mechanisms used to enforce security policies. The principal notion we use is that of an access domain.

An access domain, A, is a tuple (a_1, a_2, ..., a_i, ..., a_n) where n is the number of primitive access modes in the system, and a_i is the set of all objects {o_1, o_2, ..., o_m} which a process executing in domain A may access by access mode i. The set a_i is called the access mode i-domain of A: the objects which a process executing in that domain has the right to access by mode i.

Consider the following two domains:

[definitions of the example domains A_1 and A_2 are illegible in the source]

The observe-domain of A_1 is the set of objects shown, and the modify-domain of A_2 is empty.


A set of dominance domains is implicitly established by the system's protection mechanisms. The dominance domains are not associated with any particularization of processes and objects, but rather dominate all the domains that may occur in the system. Dominance domains may be uniquely labeled for convenience. In the Multics system, for example, the dominance domains established by the ring mechanism were known as rings and were labeled by ring numbers. Schroeder's protection mechanism also uses numbers as labels for dominance domains.

We say that A_1 dominates A_2 (A_1 >= A_2) iff, for each access mode i, the set a_i of A_1 contains the set a_i of A_2. A system's protection mechanism, then, establishes a set of dominance domains which we can use for validation of protection mechanisms. Because these domains dominate all other domains that may occur in the system, if we can show that our policy holds for these domains, we have shown that it holds for the system.

In this paper, we choose to consider only protection mechanisms which establish a universally bounded lattice of dominance domains. Such mechanisms represent an interesting subset of protection mechanisms and provide simplicity in this discussion.
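The domain and dominance definitions above, as an added example that is not code from the paper: access domains as one object set per mode, dominance as componentwise containment, and a check that a set of domains is a universally bounded lattice, applied to four constructed ring brackets. The object names and the bracket values are assumptions.

```python
"""Access domains and dominance (constructed example, not from the paper)."""
MODES = ("observe", "modify")          # the two generic modes of the paper


def domain(observe=(), modify=()):
    """Build an access domain: one object set per primitive access mode."""
    return {"observe": frozenset(observe), "modify": frozenset(modify)}


def dominates(a1, a2):
    """A1 >= A2 iff, for every mode i, the set a_i of A1 contains that of A2."""
    return all(a1[m] >= a2[m] for m in MODES)


def join(a1, a2):
    """Least upper bound: componentwise union of the object sets."""
    return {m: a1[m] | a2[m] for m in MODES}


def meet(a1, a2):
    """Greatest lower bound: componentwise intersection."""
    return {m: a1[m] & a2[m] for m in MODES}


def is_universally_bounded_lattice(domains):
    """True iff every pair has its join and meet in the set, and the set has
    a top and a bottom element (the bounds the text requires)."""
    closed = all(join(x, y) in domains and meet(x, y) in domains
                 for x in domains for y in domains)
    top = any(all(dominates(t, x) for x in domains) for t in domains)
    bottom = any(all(dominates(x, b) for x in domains) for b in domains)
    return closed and top and bottom


# Assumed ring brackets (R1, R2) for four constructed objects: ring r may
# observe an object if r <= R2 and modify it if r <= R1.
BRACKETS = {"o1": (0, 0), "o2": (0, 1), "o3": (1, 2), "o4": (3, 3)}


def ring_domain(r):
    """The dominance domain the ring mechanism establishes for ring r."""
    return domain(observe=[o for o, (_, r2) in BRACKETS.items() if r <= r2],
                  modify=[o for o, (r1, _) in BRACKETS.items() if r <= r1])


RINGS = [ring_domain(r) for r in range(4)]     # rings 0 thru 3


def ring_chain_ok():
    """Inner rings dominate outer rings, and the rings form a bounded lattice."""
    chain = all(dominates(RINGS[i], RINGS[j])
                for i in range(4) for j in range(i, 4))
    return chain and is_universally_bounded_lattice(RINGS)


if __name__ == "__main__":
    for r, d in enumerate(RINGS):
        print("ring", r, {m: sorted(d[m]) for m in MODES})
    print("nested lattice of rings:", ring_chain_ok())
```

Two domains that are incomparable under dominance (say one that may only observe o1 and one that may only observe o2) do not by themselves form a lattice; adding their join and meet does.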


The Assignment Technique


Assignment is the establishment of a relationship between two entities such that the first entity is "assigned to" the second entity. Mathematically, the term assignment is not significant; one could easily have said that entity 1 is related to entity 2. Intuitively, however, assignment is associated with the connotation "to fix authoritatively" which precisely signifies our notion of this process.

Assignment may be denoted by a graph from the first entity to the second as follows:

[graph: a directed arc from entity 1 to entity 2]

Assignment does not alter either entity. Rather, a relationship between the entities is established which can be expressed in the form of a tuple as follows:

(entity 1, "is assigned to", entity 2)

Regardless of the means of representation, assignment is merely the act of associating an entity or set of entities with some other entity or set of entities.

The essence of the assignment technique is relatively simple. First of all, consider the nature of a lattice security policy. Such a policy partitions the objects of a system into a lattice of equivalence classes. Each equivalence class can be thought of as an entity subject to assignment.

Then consider a mechanism which establishes a lattice of dominance domains. Each of these domains can also be thought of as an entity subject to assignment.

Since an assignment can be established between any two entities, we can make an assignment between the equivalence classes established by a lattice security policy and the dominance domains that are established by some protection mechanism. We then validate that (for this assignment) the mechanism is sufficient to support that policy. This determination is made by examining the set of access relations that the mechanism permits, and testing for possible violations of the policy.

We are now ready to illustrate how we may use this assignment technique to evaluate protection mechanisms used in the design of secure computer systems.




The usefulness of the assignment technique appears to be rather far reaching. Research currently underway is investigating a number of possibilities. This paper addresses only a few of the possible applications. The authors wholeheartedly invite the reader to suggest areas of further research. Additionally, comments, opinions, and research findings related to the assignment technique are solicited.

Multics Ring Mechanism Assignments

The question of the sufficiency of the Multics Ring Mechanism for enforcement of the basic National Security policy was the initial problem that prompted the current research effort and led to the formulation of the assignment technique. It is appropriate then, that this paper present this analysis as an introductory application of simple assignment.

Compromise Policy. As stated previously in this paper, the basic National Security policy is a simple lattice security policy. Figure 1(C) illustrates this policy.

The dominance domains of the Multics Ring mechanism are most frequently shown as concentric rings numbered in increasing integer order from the innermost ring or the kernel. The kernel is generally assigned ring number 0. For simplicity, we only show a system with rings 0 thru 3 in this analysis. Other ring numbers will produce similar results.

[Figure 2 and the text introducing the first assignment scheme are missing from the source.] A process which is executing in ring number 1 would need to be cleared for at least SECRET information according to our assignment scheme.


The Multics Ring Mechanism discriminates among objects by means of a ring bracket. The ring bracket is a 3-tuple (R1, R2, R3) where R1, R2 and R3 are ring numbers and R1 <= R2 <= R3. Access to objects is restricted such that the current ring of execution must be less than or equal to R2 to observe information and less than or equal to R1 to modify information. Figure 3 shows characteristics of the ring brackets both in terms of the access modes used in this paper and the access modes used in Multics.


[Figure 3: ring bracket characteristics in terms of the Multics access modes (Execute, Write (modify), Read (observe)) and the access modes used in this paper]

Consider then an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in ring 0 and ring 1 only. R2 must therefore be 1. A problem now becomes apparent. No matter what value we choose for R1, we are faced with a contradiction. If R1 is 0 or 1 then ring 0 processes may modify SECRET files, violating the Confinement Property. If R1 is greater than 1, the restrictions of the ring mechanism would be violated (viz., R1 > R2). Therefore, we can conclude that this assignment is not acceptable.

Consider now the only other potential assignment scheme, where the greatest lower bound of our lattice is assigned to ring 0. The assignment produced is shown in Figure 4.


We now attempt to assign ring brackets to an object classified SECRET. A problem occurs immediately. We want processes executing in ring 2 to be able to observe our objects, but then a process in ring 0, that is UNCLASSIFIED, will also be able to observe our object. The Simple Security Condition cannot be met, and thus this assignment scheme is not possible.

Since neither of these assignments is acceptable, and shifting the ring assignments numerically would yield similar results, we can see that no assignment will be acceptable. Therefore, the Multics Ring Mechanism is not sufficient to enforce the basic National Security policy for compromise.

The basic National Integrity policy [3] is the dual of the basic National Security policy. Whereas the security policy is concerned with the unauthorized observation of information, or compromise, the integrity policy is concerned with the unauthorized modification of information, or subversion. The assignment technique shows us that the Multics Ring Mechanism is not sufficient to enforce this dual policy either.
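The exhaustive form of the argument above, as an added example that is not code from the paper: a checker that encodes the ring rule stated in the text (observe iff the current ring is <= R2, modify iff it is <= R1, with R1 <= R2) and the two conditions of the compromise policy, then tests every one-to-one assignment of the four access classes to rings 0 thru 3 rather than only the two schemes discussed. The integrity dual is modelled by swapping the two inequalities, which is an assumption; the ring range, the class ranking and the bracket enumeration are mine.

```python
"""Assignment check of Multics ring brackets against the basic National
Security (compromise) policy and its integrity dual (constructed example)."""
from itertools import permutations

RINGS = range(4)                                    # rings 0 thru 3
CLASSES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {c: i for i, c in enumerate(CLASSES)}        # U < C < S < TS

# Policy constraints as predicates on (subject rank, object rank).
# Compromise policy: Simple Security Condition and Confinement Property.
COMPROMISE = {
    "observe": lambda s, o: s >= o,
    "modify":  lambda s, o: s <= o,
}
# Integrity dual (assumed: the same two rules with the orderings swapped).
INTEGRITY = {
    "observe": lambda s, o: s <= o,
    "modify":  lambda s, o: s >= o,
}


def ring_permits(r, mode, bracket):
    """Ring rule from the text: observe iff r <= R2, modify iff r <= R1."""
    r1, r2 = bracket
    return r <= (r2 if mode == "observe" else r1)


def bracket_is_safe(bracket, obj_class, assignment, policy):
    """True iff no relation the bracket permits violates the policy.

    assignment maps each access class to the ring whose subjects carry it.
    """
    ring_class = {ring: cls for cls, ring in assignment.items()}
    for r in RINGS:
        for mode, allowed in policy.items():
            if ring_permits(r, mode, bracket) and \
               not allowed(RANK[ring_class[r]], RANK[obj_class]):
                return False
    return True


def safe_brackets(obj_class, assignment, policy):
    """All brackets (R1 <= R2) under which objects of obj_class are safe."""
    return [(r1, r2) for r1 in RINGS for r2 in RINGS if r1 <= r2
            and bracket_is_safe((r1, r2), obj_class, assignment, policy)]


def assignment_sufficient(assignment, policy):
    """The mechanism supports the policy under this assignment iff every
    class can be given at least one safe bracket."""
    return all(safe_brackets(c, assignment, policy) for c in CLASSES)


def any_assignment_sufficient(policy):
    """Try every one-to-one assignment of the four classes to the four rings."""
    return any(assignment_sufficient(dict(zip(CLASSES, rings)), policy)
               for rings in permutations(RINGS))


# The paper's first scheme: TOP SECRET in ring 0 ... UNCLASSIFIED in ring 3.
PAPER_ASSIGNMENT = {"TOP SECRET": 0, "SECRET": 1, "CONFIDENTIAL": 2,
                    "UNCLASSIFIED": 3}

if __name__ == "__main__":
    for cls in CLASSES:
        print(cls, safe_brackets(cls, PAPER_ASSIGNMENT, COMPROMISE))
    print("compromise, any assignment:", any_assignment_sufficient(COMPROMISE))
    print("integrity, any assignment:", any_assignment_sufficient(INTEGRITY))
```

The result is the same for every assignment: ring 0 may both observe and modify every object whatever its bracket, so it would have to carry every access class at once.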

The Multics Ring Mechanism is not sufficient to enforce the basic National Security policy nor the basic National Integrity policy. However, a Multics Security Kernel has been designed [13] that is sufficient to support both of these policies. This may seem to be a contradiction, but it is not. The confusion is dissipated when one asks the question, "What form of policy does the Multics Ring Mechanism support?"

Program Integrity Policy. The notion of a program integrity policy stems from the desire to prohibit modification of executable programs by less trustworthy subjects. In the general sense, we wish to ensure that our more sensitive programs are

[passage missing from the source]

Integrity policy [3], however, program integrity is not concerned with the issue of general observation of information. Rather, program integrity deals only with execution and modification. In this case, we refine the access mode "observe" to that of the "read/execute" access mode, taken in the sense of the general vernacular.

A program integrity policy must consider two issues. First, each entity within the system must have a program integrity access class, designated PI, assigned to it. Second, the ordering of program integrity access classes must be fixed according to the constraints of the policy maker. Once these issues are resolved, we may guarantee that no direct threat is possible by enforcement of the following condition:

Simple Program Integrity Condition: if a subject has "modify" access to an object, then the program integrity of the subject is greater than or equal to the program integrity of the object.

Because program integrity policies are concerned with the execution issue, indirect modification of information is not strictly prohibited. This provides a certain degree of flexibility but also produces a certain amount of risk [ ]. Confinement of execution helps to reduce the risk of such an indirect threat. The indirect threat occurs when a subject executes a program that has been modified by another, less trustworthy subject. We can further see the usefulness of confinement in a program integrity policy by noting that this property supports the use of library functions. In a manner directly analogous to that for the National Security policy, we define the confinement property for program integrity as follows:

Program Integrity Confinement Property: If a subject has execute access to an object, then the program integrity of the object is greater than or equal to the program integrity of the subject.

The characteristics of an example program integrity policy in terms of access modes are shown in Figure 5. Such a policy is inherently a lattice policy.

[Figure 5: access mode characteristics of an example program integrity policy]

Consider now a specific program integrity policy. According to this policy, entities are partitioned into one of four access classes designated as User, Supervisor, Utility or Kernel. The sensitivity of these access classes is specified as: Kernel > Supervisor > Utility > User. We then consider an assignment to a Multics ring structure as shown in Figure 6.

[Figure 6 and the start of its analysis are missing from the source] of access relations with respect to this policy. For this assignment, no violations are possible. Therefore, we have shown that the Multics Ring Mechanism is sufficient to support this Program Integrity policy.


This issue of what form of protection the Multics Ring Mechanism provides appears to be precisely the issue that Wulf, Jones and the other designers of the "HYDRA" system were attempting to understand. They introduce their discussion by first saying:

"Protection is, in our view, a mechanism."

Their discussion then proceeds to make the following general statement relative to the Multics rings:

"... rejection of hierarchical system structures, and especially ones which employ a single hierarchical relation for all aspects of system interaction, is also, in part, a consequence of the distinction between protection and security. A failure to distinguish these issues coupled with a strict hierarchical structure leads inevitably to a succession of increasingly privileged system components, and ultimately to a "most privileged" one, which gain their privilege exclusively by virtue of their position in the hierarchy. Such structures are inherently wrong ..." [16]


Had the assignment technique been available to the authors of the above statement, they would have been afforded a means of

[passage missing from the source]

the basic National Security policy. Examining Figure [ ] and Figure 6, the dual nature of these two policies is apparent.

[Figure: observe and modify access relations of the two policies]

Of course, these brief suggestions do not completely define a practical protection mechanism. However, it appears that ring mechanisms are adaptable for the enforcement of various simple hierarchical policies.


Capability Mechanisms


Considerable effort is currently underway to provide Provably Secure Operating Systems based upon the capability mechanism [9, 10]. It is important to examine what form of protection capabilities actually provide.

Capability mechanisms primarily establish two dominance domains which are enforced by the system hardware. One domain consists of capabilities, and the other is objects that are not capabilities, such as segments and directories. A process takes no note of these dominance domains, however, because all processes have access to capabilities as well as other types of objects. So with respect to a process, the capability mechanism provides no inherent partitioning of the system entities at all. In fact, in trying to determine the structure of dominance domains for non-capability objects, we encounter a veritable
Assignment has been shown to be a useful technique in evaluating the sufficiency of a mechanism to enforce a security policy. This technique is based upon a formalized notion of domains and the lattice nature of security policies.

This method provides considerable insight into the nature of access control. Characterizing a subject as a process-domain pair, we observe that non-discretionary protection is dependent only upon the dominance domains established by the system's mechanisms and the access relations between these domains. The nature of the computation is irrelevant. Furthermore, one can observe that any protection policy can only be implemented on a computer system which has some form of system isolation prohibiting the users from altering the system's isolation method.

This paper presents an introduction to assignment, and several simple examples have been investigated. Considerable research effort is still necessary. Of particular interest is the use of the assignment technique as a guide in the construction of new mechanisms to meet classes of policies of broad interest. Assignment research has already provided considerable insight into the nature of security enforcement, providing a means of formally presenting the characteristics of mechanisms and policies. Mechanisms can be categorized by the type of enforcement